Cybersecurity researchers have shed light on a new phishing campaign that has been identified as targeting people in Pakistan using a custom backdoor.
Dubbed PHANTOM#SPIKE by Securonix, the unknown threat actors behind the activity have leveraged military-related phishing documents to activate the infection sequence.
“While there are many methods used today to deploy malware, the threat actors made use of ZIP files with a password-protected payload archive contained within,” researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.
The campaign is notable for its lack of sophistication and the use of simple payloads to achieve remote access to target machines.
The email messages come bearing a ZIP archive that purports to be meeting minutes related to the International Military-Technical Forum Army 2024, a legitimate event organized by the Ministry of Defense of the Russian Federation. It’s set to be held in Moscow in mid-August 2024.
Present within the ZIP file is a Microsoft Compiled HTML Help (CHM) file and a hidden executable (“RuntimeIndexer.exe”), the former of which, when opened, displays the meeting minutes as well as a couple of images, but stealthily runs the bundled binary as soon as the user clicks anywhere on the document.
The executable is designed to function as a backdoor that establishes connections with a remote server over TCP in order to retrieve commands that are subsequently run on the compromised host.
In addition to passing along system information, it executes the commands via cmd.exe, gathers the output of the operation, and exfiltrates it back to the server. This includes running commands like systeminfo, tasklist, curl to extract the public IP address using ip-api[.]com, and schtasks to set up persistence.
“This backdoor essentially functions as a command line-based remote access trojan (RAT) that provides the attacker with persistent, covert, and secure access to the infected system,” the researchers said.
“The ability to execute commands remotely and relay the results back to the C2 server allows the attacker to control the infected system, steal sensitive information or execute additional malware payloads.”
